The Internet of Things – the good news and a cautionary tale
November 2015 | EXPERT BRIEFING | RISK MANAGEMENT
The Internet of Things, also known as IoT, is a relatively new phenomenon that comes with great benefits and some potentially high risks. While we enjoy the benefits, we ignore the risks at our peril.
The Internet of Things
A few years ago, no one but a few techies had even heard of the Internet of Things. Broadly speaking, the ever-growing IoT refers to devices connected to the internet for the purpose of information transfer or process automation. Building owners and managers and homeowners are installing more and more devices that yield productivity, cost savings and pure pleasure. The uses for these devices are almost limitless and include lighting, security, HVAC, communications, cell phones and their many apps, parking, utilities, scheduling and digital storage. Their boost to productivity, sustainability and convenience is a real plus and very good news for all of us.
Unintended and unforeseen risks
To put it bluntly, there are some serious unintended consequences that come along with the good news. These downside consequences arise from these devices and processes being installed and connected to the internet with little or no understanding of the cyber exposures they bring with them. In a word, they open a client’s most precious assets to intrusion and theft.
The Target breach is a vivid case in point. The intruders got into Target’s trove of customers’ personal information through its HVAC vendor (a classic IoT combination) and did it in such a way that Target did not notice the theft of its customers’ files until it was too late to do anything about it. Security professionals were not surprised. They know that the IoT has expanded the attack surface for the bad guys. Devices that are increasingly embedded in home and building ecosystems provide many more internet points of entry for intrusion.
So, you might say, while Target was obviously an inviting ‘target’, no one would target my business – we are simply too small for anyone to care. In light of the Verizon 2013 Data Breach Investigations Report, published in May 2013, and other similar reports along the same lines, you might want to reconsider. “The ‘I’m too small to be a target’ argument doesn’t hold water,” the report states. “We see victims of espionage campaigns ranging from large multi-nationals all the way down to those that have no staff at all.”
Other studies reporting that about 80 percent of cyber attacks are aimed at small businesses are equally sobering. According to Aeris Secure LLC, “The scary thing about this number is that the small businesses are usually the least equipped to protect against an attack. Most hackers will prey on the weak. With technology being so prevalent in all businesses, few can afford to NOT pay attention and do whatever they reasonably can to protect their business and assets.”
A disturbing recent development for small businesses is the rise of ‘ransomware’, where a predator infects a company, usually a small one, with an encryption virus that encrypts the target’s data. The predator then demands a payment to provide the key. The payment demands to date have been small, and businesses usually pay them because the cost of pursuing other remedies is much higher. Imagine, however, this model being applied to a modern building where the predator takes over the elevators and demands a ransom to turn them back on.
Meeting the risks head-on
This should be a wake-up call for all business owners. If you are paying attention but are simply overwhelmed by the deluge of scary information hitting your inbox every day, the question becomes: “What can a business owner reasonably do to protect the business from cyber attacks emanating through the Internet of Things that will likely result in loss of critical assets, reputation and remediation time and money?” You can and should be able to address your IoT exposures, and many others associated with your internet presence, efficiently, cost-effectively and in a timely manner. Because your exposures are both IT and non-IT, your counsel and trusted IT governance and security partners should be on your team. A few lawyers are recognising that, in this ever-expanding cyber risk field, lawyering alone will not get the job done. By the same token, forward-thinking IT governance and security professionals know there is a lot more to the incoming risks than can be handled by IT protection alone.
A few concrete examples of the appropriate lines of inquiry should make the case. For starters, lawyers should, at a minimum, review their client’s: (i) social media policies and practices, to ensure the client has them and is doing the right thing in using social media, or not, in its hiring; (ii) contracts with its cloud computing vendors, to ensure they provide the actual location of the client’s data, what kind of security safeguards the vendor has in place, and whether the vendor can execute a legal hold on data when instructed to do so by the client; (iii) privacy practices, including a policy vetted by counsel and posted appropriately, and effective access control requirements; and (iv) compliance with state and federal statutes regarding data security, including HIPAA.
The client’s IT governance and security professionals should review the client’s: (i) computer system usage policies and procedures, employee access rights, backup protocols and change management policies; and (ii) computer system overall security including enterprise management of records, tested firewalls, detection of unauthorised access, and regular penetration testing.
Companies that do not have any building control systems or other internet-connected processes in use should be free of IoT concerns. Those that do have internet-connected devices and processes in place should make sure that, at a minimum, they have an inventory of these processes and devices, have security in place for all of them, monitor them on a continuous basis so that they become aware of malfunctions in real time, and conduct audits and testing on a regular basis to verify the operation and security of the devices and processes.
Governance big picture and bottom line
It is critical that leadership at the top sees data, device and process security as an enterprise concern. Breaches can hurt every department and aspect of the business, which will, in turn, hurt the company’s profitability and reputation. Budget fights between departments have no place here, since the security budget should be a company-wide budget with the cost shared across the enterprise.
With the right legal counsel and IT governance and security professionals on your team, your company can effectively address both the IT and non-IT risks embedded in the IoT. It is prudent to consult counsel and ask for a plan to assess and remediate real-time risks. The goal should be to achieve the ability to make informed risk management decisions about these multiple risks, specifically whether to remediate them, transfer them by way of cyber insurance, or accept them. Whatever the decision, the company will be much more likely to make the right call with the right cross-disciplinary team in place.
Ned Dunham is of counsel at Kleinbard LLC. He can be contacted on +1 (267) 443 4109 or by email: email@example.com.
© Financier Worldwide